Abstract
LaGrande Technology (LT) is a highly versatile set of hardware enhancements that will come to Intel processors, chipsets and platforms over the next 2 to 3 years. LT creates a hardware foundation, on the client PC platform, that can help protect the confidentiality and integrity of data stored or created from software based attacks. It does this by enabling an environment where applications can run within their own space, protected from all other software on the system. In turn, this can help to protect vital data and processes from being compromised by malicious software running on the platform. LT features include capabilities in the microprocessor, chipset, I/O subsystems, and other platform components. When coupled with an LT enabled operating system and LT enabled applications, LT can help protect the confidentiality and integrity of data in the face of these increasingly hostile security environments. LT provides a versatile, general-purpose safer computing environment capable of running a wide variety of operating systems and applications. LT is expected to be available in Desktop & Mobile platforms for the Business segment in approximately the next two to three years.
Introduction
Trusted Computing
The Trusted Computing Group (TCG) is an alliance of Microsoft, Intel, IBM, HP and AMD which promotes a standard for a 'more secure' PC. Their definition of 'security' is controversial; machines built according to their specification will be more trustworthy from the point of view of software vendors and the content industry, but will be less trustworthy from the point of view of their owners. In effect, the TCG specification will transfer the ultimate control of your PC from you to whoever wrote the software it happens to be running.
TC provides a computing platform on which you can't tamper with the application software, and where these applications can communicate securely with their authors and with each other. The original motivation was digital rights management (DRM): Disney will be able to sell you DVDs that will decrypt and run on a TC platform, but which you won't be able to copy. The music industry will be able to sell you music downloads that you won't be able to swap. They will be able to sell you CDs that you'll only be able to play three times, or only on your birthday. All sorts of new marketing possibilities will open up.
TC will also make it much harder for you to run unlicensed software. In the first version of TC, pirate software could be detected and deleted remotely. TC will protect application software registration mechanisms, so that unlicensed software will be locked out of the new ecology. Furthermore, TC apps will work better with other TC apps, so people will get less value from old non-TC apps (including pirate apps). Also, some TC apps may reject data from old apps whose serial numbers have been blacklisted. TC will also make it easier for people to rent software rather than buy it; and if you stop paying the rent, then not only does the software stop working but so may the files it created. So if you stop paying for upgrades to Media Player, you may lose access to all the songs you bought using it.
There are many other possibilities. Governments will be able to arrange things so that all Word documents created on civil servants' PCs are 'born classified' and can't be leaked electronically to journalists. Auction sites might insist that you use trusted proxy software for bidding, so that you can't bid tactically at the auction.
The Need for Safe, Protected Computing
It is clear we live in a hacker's world. Legions of hackers seem to have little else to do with their time than harass the rest of us, sometimes for kicks, sometimes to prove a cause, and sometimes to do serious damage. Some hacking might be aimed at specific companies or governments, or possibly be terrorist-related, but the nastiest of the hacker attacks steal our personal information and/or sensitive data by a variety of snooping methods. Viruses, worms, and trojans that exploit security holes in operating system software have infected millions of systems, causing significant headaches, cleanup time, and financial loss. Microsoft, Intel, and many others are developing protected computing environments to combat hacker attacks, while also providing secure computing for sensitive data processing and e-commerce transactions. Platform stability is improved when applications are run in a protected partition.
While protection methods are not foolproof, NGSCB and LaGrande have well thought-out frameworks, and are highly engineered defensive systems that, once deployed, should protect the majority of end users and businesses from software attacks. In fact, Intel and Microsoft stress that these technologies protect against software attacks, not hardware attacks. Many attacks waged on our computers are from anonymous sources and are software-based. Certainly your system may be physically compromised or stolen, and operating system and/or internal hardware protection systems are of little help beyond encrypting your critical data, if you choose to use such features. As Intel security architect David Grawrock mentioned during his LaGrande architecture course at IDF, you won't see too many people snooping your front-side bus with a logic analyzer.
In the interest of timeliness and accuracy, I'll replay many slides from two IDF presentations - "LaGrande Technology and Safer Computing Overview" by Mike Ferron-Jones, Intel's Desktop Security Technologies Marketing Manager, and Luke Girard, Intel's Desktop Security Technologies Product Marketing Engineer, and "LaGrande Architecture" delivered by David Grawrock.
Layers or levels of protection are required to secure a computing platform. Software methods must be supplemented by hardware security. You're likely familiar with smart cards, and you'll soon hear a lot more about the "Trusted Platform Module" or TPM, which is a chip that stores unique platform information and encryption keys, and includes a random number generator for encryption algorithms. LaGrande is hardware-based protection, and it raises the overall level of protection significantly.
Vulnerabilities of the PC Today
Sample of Common Vulnerabilities (slide)
User Output
- Access to graphics frame buffer. Result: Software can see or change what the user sees.
Memory
- Ring 0 access to memory. Result: Software can snoop through the memory to find, capture, and alter settings, data, passwords, keys, etc.
USB
- DMA controller access to memory. Result: Software can access protected memory directly with the DMA controller.
User Input
- Access to keyboard & mouse data. Result: Software can see or change what the user is typing.
All of these are vulnerable to SW attack.
Below we can see where LaGrande technology will be most useful. Note on the y-axis that "LT" means LaGrande Technology, not Lawrence Taylor. Clearly, the techies or marketing types at Intel who developed this acronym are not NY Giants fans, and did not expect people to visualize a linebacker, instead of a security technology, every time the term LT was presented. But you can see that software-based attacks are the prime focus, and most of the expected areas (data, mail, e-commerce) can be protected.
Features of Trusted Computing Secure Booting
Part of the heritage of TC computing products is a paper by Butler Lampson [provide link] which describes the techniques TC implements. Additionally, there is a paper called "Secure Booting" by Bill Arbaugh and Dave Farber (who is an EFF board member) which discusses some TC techniques.
To provide a secure bootstrapping process, the hardware must know something about the software it loads. The TPM contains platform configuration registers (PCRs) for this purpose. They store cryptographic hashes of each of the pieces of code loaded at system start time. Each piece of code can check the hash of the code that loaded before it, and make a decision based on that. The PCRs can only be written to by the TPM, but can be read by all software. PCR 0 (the first PCR) contains a number installed by the hardware vendor and is called the root of trust for measurement (RTM). This mechanism can provide protection from boot viruses as follows:
1. At boot time, the TPM generates a hash of the boot virus, installs the hash in PCR 1, and loads the boot virus.
2. The boot virus may or may not make use of the value in PCR 0.
3. The boot virus will ask the TPM to load the operating system. The TPM generates a hash of the OS kernel referred to by the virus, installs it into PCR 2, and loads the kernel.
4. The kernel checks the value of PCR 1 against its own database of acceptable values. There is a vanishingly small probability that the boot virus will hash to a value in the kernel's database. Therefore the operating system "knows" that it has been loaded by untrusted code, and can take whatever action it has been programmed to do.
Now, it is possible that the boot virus will reference a malicious operating system kernel that has been programmed either to recognize the boot virus' hash as valid, or to fail to take the appropriate action when the virus is detected. However, application code (both local and remote) can be written to check the hash of the operating system in the PCR, and determine for itself if the operating system can be trusted.
Another potential problem is one of user interface. Assume that the operating system is designed to present some kind of notification to the user that it does or does not trust the values in the PCRs. A compromised OS could present false symbols to the user! Seth posed this problem to representatives of Microsoft, and got a three-part answer. First, the PCRs are primarily intended for remote attestation; that is, remote application software (like a web server) can check the contents of the PCRs in your machine. Second, the user could decide at the time the OS is installed what the symbols for representing trusted and untrusted PCR values are, and an attacker would not be able to easily learn them. Third, as with SSH host keys or HTTPS server certificates, PCRs provide proof of software consistency over time. They are a way to detect if the software configuration has changed.
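The boot-time measurement chain described above, modelled in Python as an added example (not Intel, TCG or Microsoft code). It assumes SHA-1 sized PCRs that are updated with the TCG "extend" operation rather than overwritten, constructs its own sample boot images, and also shows what remote application code can conclude from PCR 2 independently of the kernel's own verdict.

```python
"""Toy model of TPM platform configuration registers (PCRs) and the boot-time
hash chain. Added example, not TCG/Intel/Microsoft code. Assumptions: SHA-1
sized PCRs as in TPM 1.x, updated with the TCG 'extend' operation
(new = H(old || measurement)) instead of being overwritten."""
import hashlib

PCR_COUNT = 4
ZERO_PCR = b"\x00" * 20


class ToyTpm:
    """PCRs are readable by anyone but only changed through extend()."""

    def __init__(self, root_of_trust: bytes):
        self.pcrs = [ZERO_PCR] * PCR_COUNT
        # PCR 0 holds the root of trust for measurement installed by the vendor
        self.extend(0, root_of_trust)

    def extend(self, index: int, measurement: bytes) -> None:
        self.pcrs[index] = hashlib.sha1(self.pcrs[index] + measurement).digest()

    def read(self, index: int) -> bytes:
        return self.pcrs[index]


def measure(code: bytes) -> bytes:
    """The hash of a piece of code, recorded before that code is given control."""
    return hashlib.sha1(code).digest()


def boot(tpm: ToyTpm, boot_loader: bytes, kernel: bytes) -> ToyTpm:
    """Steps 1-3 of the sequence: record the loader in PCR 1, then the kernel
    the loader chose in PCR 2, each before control is handed over."""
    tpm.extend(1, measure(boot_loader))
    tpm.extend(2, measure(kernel))
    return tpm


def expected_pcr(measurement: bytes) -> bytes:
    """Value a PCR holds after exactly one extend from its reset state."""
    return hashlib.sha1(ZERO_PCR + measurement).digest()


# Constructed sample images; real ones would be the actual boot code bytes.
RTM = b"vendor root of trust (constructed)"
GOOD_LOADER = b"clean boot loader v1 (constructed)"
BOOT_VIRUS = b"boot sector virus (constructed)"
KERNEL = b"os kernel v1 (constructed)"

# Step 4: the kernel's database of acceptable PCR 1 values, precomputed from a
# known-good boot. Only the clean loader is in it.
KERNEL_ACCEPTABLE_PCR1 = {expected_pcr(measure(GOOD_LOADER))}


def kernel_trusts_loader(tpm: ToyTpm) -> bool:
    """The kernel's own check of what loaded it."""
    return tpm.read(1) in KERNEL_ACCEPTABLE_PCR1


def remote_check(tpm: ToyTpm, acceptable_kernels: set) -> bool:
    """What remote application code can do on its own: judge the kernel from
    PCR 2 instead of trusting the kernel's verdict about the loader."""
    return tpm.read(2) in acceptable_kernels


def run_demo() -> dict:
    clean = boot(ToyTpm(RTM), GOOD_LOADER, KERNEL)
    infected = boot(ToyTpm(RTM), BOOT_VIRUS, KERNEL)
    kernels = {expected_pcr(measure(KERNEL))}
    return {
        "clean_kernel_trusts_loader": kernel_trusts_loader(clean),
        "infected_kernel_trusts_loader": kernel_trusts_loader(infected),
        # Same kernel bytes give the same PCR 2: PCR 2 alone cannot reveal the
        # virus, which is why the chain records every stage separately.
        "pcr2_identical": clean.read(2) == infected.read(2),
        "remote_accepts_clean_kernel": remote_check(clean, kernels),
    }


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value}")
```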
Sealed Storage
Sealed storage is a storage system that allows reading and/or writing to storage medium if and only if the PCR registers have certain values. Therefore, only trusted software can access sealed storage. With sealed storage, the data is encrypted with a key based on the contents of the PCRs and a random number built into the TPM (each TPM is imprinted with a different random number). Note that this means you cannot restore data stored in sealed storage by installing the storage medium in a computer with a different TPM!
Remote Attestation
The TPM includes a "signing key" for generating cryptographic signatures, and this key is itself signed by the TPM manufacturer. Using this key, it is possible to verify the identity of the machine and the capabilities and integrity of the software it is running. In effect, you can use the key to establish trust, even between two computers connected by a network. You can also use remote attestation to detect if the hardware has been tampered with.
Of course a lot still depends on the trustworthiness of the software the machine is running. If the software doing the attestation has a buffer overflow vulnerability or the like, it may be tricked.
Remote attestation is also "good" for defending against the owner of the computer. For example, a server could deny service to a client computer if the client does not pass the attestation test. This has wonderful implications for Microsoft: vendor lock-in and breaking interoperability. It can also be used to enforce digital restrictions management (DRM) policies.
Memory Curtaining
In existing computers, any hardware device or device driver can access any region of the computer's memory. (This is called direct memory access, or DMA). TC provides memory curtaining, by which software developers can designate certain regions of memory inaccessible to hardware or other software. This is stronger than the protection provided by the memory management unit (MMU) that is part of most current computers; it's more like adding a new privilege ring to the CPU. Ross Anderson calls it "ring -1", suggesting that it is more privileged than ring 0.
On the right side are two new privilege classes: the Nexus (previously known as the trusted operating root or TOR), and the Nexus computing agents (NCA) (previously known as trusted agents or TAs). While highly important, the NCAs possess the least degree of privilege. The NCAs are very small units of software that make requests of the TPM on behalf of user software; these requests must then be passed through the Nexus, which is the only software allowed to talk directly to the TPM.
Memory curtaining protects each of the quadrants from each other, and each of the NCAs from each other.
Each NCA is identified to the Nexus by a hash. Via the TPM, NCAs can download or obtain encrypted code and execute it — a level of obscurity beyond even that of object code. On the bright side, NCAs cannot talk directly to hardware.
Secure I/O
Only the Nexus talks to the user interface devices attached to the computer: the keyboard, mouse and display. From the point of view of other software components, user interface I/O is "unobscurable" and "undiscoverable". Thus the applications and kernel cannot interfere with interactions between the user and NCAs. Curtained memory prevents user or kernel code from seeing what NCAs are doing, if they encrypt their messages to the hardware.
Trusted Computing Products
There exist four real designs for TC products.
The Trusted Computing Group (TCG)
Née Trusted Computing Platform Alliance (TCPA), this committee has produced a design for a chip called the trusted platform module (TPM) or trusted computing base (TCB). You can buy real TPM-equipped computers at this time.
Intel's LaGrande Technology (LT)
LT creates a hardware foundation, on the client PC platform, that can help protect the confidentiality and integrity of data stored or created from software based attacks. LT is the best solution for protecting our PCs against virus programs and hackers.
AMD's Secure Execution Mode (SEM)
AMD claims that SEM is equivalent to LT, but Seth can't verify that claim.
Microsoft's Next Generation Secure Computing Base (NGSCB)
Née Palladium. Seth provides two silly jokes about Palladium: (1) Just like the statue of Athena in ancient Greece, which was called the Palladium, Microsoft's Palladium will provide inadequate protection against Trojans; (2) Just like the metal, Palladium will be expensive and toxic.
LaGrande Technology Summary
LT is a set of enhanced hardware components designed to help protect sensitive information from software-based attacks. LT features include capabilities in the microprocessor, chipset, I/O subsystems, and other platform components. When coupled with an LT enabled operating system and LT enabled applications, LT can help protect the confidentiality and integrity of data in the face of these increasingly hostile security environments.
LT provides a versatile, general-purpose safer computing environment capable of running a wide variety of operating systems and applications. Intel is initially targeting LT for applications in the business segment.
LaGrande Objectives and Components
At the highest level, the following slide discusses LaGrande objectives. Note that compatibility and performance are not supposed to be compromised. We'll understand if this is true when we see operating systems interacting with processors implementing LaGrande technology a few years from now. The upcoming Prescott processor is supposed to have LaGrande features built-in, but not activated (similar to the way initial P4s had Hyper-Threading embedded but not activated). Intel does not expect to activate LaGrande technology in processors for a few more years.
LaGrande Technology Objectives (slide)
Protect:
- Confidential corporate & personal data
- Sensitive communications
- E-commerce transactions
From:
- Attack software on the system
- Attack software on the network
- Inadvertent exposure due to compromised software
Without compromising:
- Ease of use
- Performance
- Manageability
- Versatility
- Privacy
- Backwards compatibility
Greater data protection with the flexibility & productivity of PC computing
Applying LT to Business Security: Some Usage Examples (slide)
Protect User & Company Data
- Enhanced file access mgmt
- End-to-end encrypted mail
- Protected document viewer
Network Access Control
- Hardened VPN
- Credential & identity mgmt
- Strengthened platform & user authentication
- LT policy compliance checking
Protected Transactions
- Protected input, authorization and signature processes
Malicious Software Protection
- Protect virus scanner & signatures
- Harden intrusion detection software
LT can strengthen existing security measures and enable new usages
As discussed previously, to provide complete platform security and protection, hardware mechanisms must supplement software systems. While NGSCB provides a secure "nexus" or protected kernel, and NGSCB computing agents (programs) execute in a secured manner, certain hardware protections are required. The term attestation means that the system can validate that a process or system is who it says it is, or that you are who you say you are. While Microsoft discusses attestation, sealed storage, protected execution, and protected input/graphics in much detail related to NGSCB in their white papers and presentations, they did not discuss specific processor features required to make the whole thing work. And neither did Intel in the past, until this week.
Understand that Intel could have given much more detail, but they are saving it for future public disclosures. Clearly AMD is also working on such technology, and Intel only gives as much info publicly as they believe developers need to know in an open forum. Developers likely can receive much more information under non-disclosure agreements (NDAs).
How LT Mitigates Vulnerabilities
- LT memory protection prevents unauthorized apps from viewing or modifying protected pages
- Protected graphics generated from the protected partition are not visible to regular software
- Protected channel to keyboard defends against keyboard snooping and/or modification of keystrokes
LT platform creates a safer environment for valuable business data, transactions & processes
LT Architecture Overview
The LT based platform delivers a number of key capabilities to the platform. These capabilities, when combined, deliver the protections that will be critical to evolve the IA-32 platform. The capabilities include:
Protected Execution
Provides applications with the ability to run in isolated protected execution environments such that no other unauthorized software on the platform can observe or compromise the information being operated upon. Each of these isolated environments has dedicated resources that are managed by the processor, chipset and OS kernel.
Protected Execution (slide: attacker, application, platform)
- Many attacks simply read the memory of the application
- What is needed is some way to protect the application from the attacker
- Protected execution keeps resources of the application from the attacker
- Protected execution requires hardware support
LaGrande Technology (LT) Protected Execution is an implementation of domain separation
Sealed storage
Provides for the ability to encrypt and store keys, data or other secrets within hardware on the platform. It does this in such a way that these secrets can only be released (decrypted) to an executing environment that is the same as when the secrets were encrypted. This helps prevent attacks exploiting the vulnerability where the encrypted data has been transferred to other platforms, either for normal use (thereby becoming decrypted) or for malicious attack.
Sealed Storage (slide: platform, application)
- Sealed storage is the combination of measurements and encryption
- Seal some data such that the data is only available (unsealed) when the indicated measurement is present on the TPM
- Powerful technique to ensure that data is only available to a known environment
- Sealing data to the brick wall ensures that the data is only available to the same brick wall
- Changes in the wall change the measurement and make the data unavailable
TPM provides attestation and sealed storage
Protected Input: Provides a mechanism that protects communication between the keyboard/mouse and applications running in the protected execution environments from being observed or compromised by any other unauthorized software running on the platform. For USB input, LT does this by cryptographically encrypting the keystrokes and mouse clicks with an encryption key shared between a protected domain's input manager and an input device. Only applications that have the correct encryption key can decrypt and use the transported data.
Protected Input (slide)
- Create trusted channel between keyboard and keyboard manager
- Mouse and mouse manager also need a trusted channel
- A LaGrande platform will provide the hardware hooks necessary to create the trusted channel
- OS needs to support running the input manager in protected execution
- Need new input device that supports the creation of the trusted channel
- Many ways to solve the channel creation issues
- Application responsibility to create trusted path
Protected graphics: Provides a mechanism that enables applications running within the protected execution environment to send display information to the graphics frame buffer without being observed or compromised by any other unauthorized software running on the platform. This is done by creating a more protected pathway between an application or software agent and the output display context (such as a window object).
Attestation: Enables a system to provide assurance that the LT protected environment was correctly invoked. It also provides the ability to provide a measurement of the software running in the protected space. The information exchanged during an attestation function is called an Attestation Identity Key credential and is used to help establish mutual trust between parties.
Attestation (slide: platform, application)
Prove platform properties:
- Hardware nature of platform
- Current running configuration
- How was the brick wall built
Attestation requires:
- Accurate measurement
- Storage of the measurement
- Verifiable report of the measurement
A Trusted Platform Module (TPM) provides these capabilities
Attestation device needs to provide the assurances that the storage and reporting mechanisms are properly protected
Knowing what the brick wall is allows for the wall to report on applications protected by the wall
Protected Launch: Provides for the controlled launch and registration of the critical OS and system software components in a protected execution environment.
LaGrande is OS-agnostic per Intel, as you can see in the comments in the slide below.
Trusted Platform Architecture Review
Intel reviewed the core features of a trusted computing environment to prepare us for more details of LaGrande hardware features. The slides below are similar to what Microsoft presented at WinHEC when discussing the platform attributes of NGSCB, and we'll present the slides here for your review.
First, let's look at the LT security feature overview, which includes protected execution, attestation, sealed storage, and protected input/output. Essentially the same stuff as with NGSCB.
LT Security Features (slide; only the first row survives)
Feature: Protected Execution. Why is this important? Platform subset where SW runs w/o interference or observation.
And here's a review of some common forms of attack, and what's needed to protect your computer.
Entering the Password (slide: Software Attacks Mitigated)
1. Read password in memory: defend using protected execution
2. Sniff password from keyboard: defend using trusted input
3. Fake login screen: defend using trusted output
4. Change application to ignore password entry: defend using protected execution
Implementation of an LT-enabled platform requires a number of hardware enhancements (see Figure 1). Key hardware elements of the LT based platform are:
Processor: Extensions to the IA-32 architecture allow for the creation of multiple execution environments, or partitions. This allows for the coexistence of a standard (legacy) partition and a protected partition, where software can run in isolation in the protected partition, free from being observed or compromised by other software running on the platform. Access to hardware resources (such as memory) is hardened by enhancements in the processor and chipset hardware. Other processor enhancements include: (1) event handling, to reduce the vulnerability of data exposed through system events, (2) instructions to manage the protected execution environment, and (3) instructions to establish a more secure software stack.
Chipset: Extensions to the chipset deliver support for key elements of this new, more protected platform. They include: (1) the capability to enforce memory protection policy, (2) enhancements to protect data access from memory, (3) protected channels to graphics and input/output devices, and (4) interfaces to the Trusted Platform Module.
Keyboard and Mouse: Enhancements to the keyboard and mouse enable communication between these input devices and applications running in a protected partition to take place without being observed or compromised by unauthorized software running on the platform.
Graphics: Enhancements to the graphic subsystem enable applications running within a protected partition to send display information to the graphics frame buffer without being observed or compromised by unauthorized software running on the platform.
The TPM v. 1.2 device: Also called the Fixed Token, is bound to the platform and connected to the PC's LPC bus. The TPM provides the hardware-based mechanism to store or 'seal' keys and other data to the platform. It also provides the hardware mechanism to report platform attestations.
The LaGrande Technology Protection Model
LT provides a set of capabilities that can be utilized in many different operating environments (Figure 2). One proposed architecture provides a protection model similar to the following:
A standard partition that provides an execution environment that is identical to today's IA-32 environment. In this environment, users will be able to run applications and other software just as they do on today's PC. The standard partition's obvious advantage is that it preserves the value of the existing code base (i.e. existing software does not need modification to run in the standard partition) and potential future software that is less security conscious. Unfortunately, it also retains the inherent vulnerabilities of today's environment.
A protected partition provides a parallel and co-existing environment that will run hardened software that makes use of the hardware-based security foundation enabled by LT. Within this environment, different applications can run in isolation, free from being observed or compromised by software running in the standard partition and other applications running in the protected partition. A protected partition requires an LT-capable processor, an LT-capable chipset, and a domain manager to provide domain separation. The TPM device protects secrets stored in an LT-enabled platform when the protected partition is not running. The LT protection model can support any domain manager, and future, enhanced OS kernel.
Applications can be written to execute within the protected partition or, in most cases, make use of both partitions. In the latter case, much of the application code could still reside within the standard partition (this code manages the human interface and handles I/O) and services written to manipulate secure or sensitive information, would move to modules written for the protected partition.
The protected partition is hardened against software attacks because:
LT's domain separation allows hardened software to run in memory pages that are protected from viewing or modification by unauthorized applications.
LT's memory protection prevents DMA engines from reading or modifying protected memory pages.
LT's protected graphics processes application data from the protected partition such that it is not visible either to software in the standard partition or other software running in the protected partition.
LT provides a trusted channel to keyboard and mouse that prevents keyboard snooping and/or modification of user's keystrokes or mouse movements.
More Architectural Details on a Protected Environment
Booting up a protected partition
LT supports the ability to launch protected environments without platform reboot, and legacy software is able to run unmodified in a standard partition. Typically, a protected partition is launched by a request to an OS component that is LT-aware. In response to such a launch request, memory spaces are allocated for the protected partition and marked protected. The domain manager is loaded into the designated memory spaces and registered by an authenticated code module (AC).
The launch of a protected execution environment occurs in stages. These are designed to ensure that the processor and the chipset recognize and participate in the launch, that all participants launch the same environment, and that there is no interference with the launch process. The stages include:
1. Ordinary software running on an LT processor executes a new SENTER instruction to initiate the launch process. This new instruction triggers a sequence of handshakes. At the conclusion of this first round of hand-shakes, the processor and chipset are ready to be brought into a protected environment.
2. The processor loads an authenticated code module into internal private memory, authenticates it, registers its identity in a platform configuration register (PCR) in the TPM, and then invokes it. The AC checks that there is no improperly configured hardware, enables memory protection for the proposed domain manager, records the identity of the domain manager in a TPM PCR, then transfers execution control to the domain manager.
Exiting a protected partition
When a protected partition is no longer needed, LT supports the take-down of the protected environment. This is again performed in stages.
1. The domain manager is responsible for cleaning up the protected partitions, ensuring that no secrets are left behind in either memory or registers. These actions include re-sealing secrets to be placed in persistent storage, and scrubbing the contents of protected partition pages.
2. The domain manager invokes a new instruction SEXIT to exit. The SEXIT instruction triggers a sequence of hand-shakes and then exits the protected environment.
Special event protections
Most normal system events, including exceptions and interrupts, are handled within the protection boundaries established by the partitions. Such events may be serviced within the partition, or may be trapped to the domain manager for service (depending on the nature of the event).
However, certain abnormal system events can potentially result in a transfer of control to agents running outside a protected partition, creating a potential venue of attack to confidential data residing in memory. LT processors and chipsets include hardware support that can detect and handle these events in a manner that does not permit the exposure of secrets or any tampering with protected execution. For example, certain system conditions could force a system reset without permitting the domain manager to first remove secrets from memory. LT hardware protections provide that, following an unanticipated reset, memory that might contain secrets is scrubbed before it can be accessed by untrusted software.
More on Attestation and Trust
Unsealing and sealing secrets
LT provides the capability to seal and unseal secrets with the assistance of a TPM v1.2 device. This capability ensures that a secret generated by one domain manager or environment is not available to another domain.
The basis of this protection lies with the TPM's Storage Root Key (SRK), a public/private key pair. The SRK private key never leaves the TPM. Any data encrypted with the SRK public key can only be decrypted by the corresponding SRK private key. As the private key never leaves the TPM, only this TPM may decrypt this data.
The TPM provides a SEAL operation, which permits data and a list of PCRs to be encrypted into a blob using a TPM storage key. The resulting encrypted blob may be stored anywhere. A corresponding UNSEAL operation decrypts the blob, but will not expose decrypted data unless the saved PCR values match current PCRs. This operation permits a domain manager to seal data to the current PCR values representing its current protected environment; the resulting blob can only be unsealed to expose the data if the identical domain manager is running.
Typically, a domain manager generates its own bulk encryption key, to be used in software, and seals this key using the TPM. The bulk encryption key is then used to encrypt all secrets managed by this domain manager, and may also be used to encrypt secrets for the applications running in the protected partition.
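The SEAL/UNSEAL behaviour described above, as an added software model written for this page (not Intel or TCG code). `ModelTPM`, its random 32-byte storage key standing in for the SRK, the SHA-256 keystream used as the "TPM storage key" encryption and the HMAC tag over the blob are all simplifications chosen here; what the model preserves is the security property of the text: the blob releases its data only while the selected PCRs hold the values they had at seal time.

```python
import hashlib, hmac, json, os

class ModelTPM:
    def __init__(self):
        self._storage_key = os.urandom(32)       # plays the role of the SRK; never exported
        self.pcrs = {i: b"\x00" * 20 for i in range(24)}

    def extend(self, index, measurement):
        """TPM extend: PCR = SHA-1(old PCR || SHA-1(measurement))."""
        self.pcrs[index] = hashlib.sha1(self.pcrs[index] + hashlib.sha1(measurement).digest()).digest()

    def _policy(self, indices):
        # Digest of the selected PCR values; the blob is bound to exactly this.
        return hashlib.sha256(b"".join(self.pcrs[i] for i in sorted(indices))).digest()

    def _keystream(self, nonce, length):
        # Counter-mode keystream from the storage key (demo only: up to 256 blocks).
        return b"".join(hashlib.sha256(self._storage_key + nonce + bytes([i])).digest()
                        for i in range(length // 32 + 1))[:length]

    def seal(self, data, indices):
        """SEAL: encrypt data together with the current PCR selection into a blob."""
        nonce = os.urandom(16)
        ct = bytes(a ^ k for a, k in zip(data, self._keystream(nonce, len(data))))
        payload = json.dumps({"nonce": nonce.hex(), "pcrs": sorted(indices),
                              "policy": self._policy(indices).hex(), "ct": ct.hex()}).encode()
        return hmac.new(self._storage_key, payload, hashlib.sha256).digest() + payload

    def unseal(self, blob):
        """UNSEAL: release the data only while the PCRs still match the sealed values."""
        tag, payload = blob[:32], blob[32:]
        expect = hmac.new(self._storage_key, payload, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expect):
            raise ValueError("blob corrupted or sealed under another storage key")
        b = json.loads(payload)
        if not hmac.compare_digest(bytes.fromhex(b["policy"]), self._policy(b["pcrs"])):
            raise PermissionError("PCR mismatch: a different environment is running")
        nonce, ct = bytes.fromhex(b["nonce"]), bytes.fromhex(b["ct"])
        return bytes(c ^ k for c, k in zip(ct, self._keystream(nonce, len(ct))))

def demo():
    # Seal a bulk key to PCR 17 (constructed measurement); unseal works, then fails
    # once PCR 17 changes because different code has been measured into it.
    tpm = ModelTPM()
    tpm.extend(17, b"domain-manager-v1")
    blob = tpm.seal(b"bulk-encryption-key", [17])
    recovered = tpm.unseal(blob)
    tpm.extend(17, b"other-code-loaded")
    try:
        tpm.unseal(blob)
    except PermissionError:
        return recovered, True
    return recovered, False
```

`demo()` returns `(b"bulk-encryption-key", True)`: the bulk key comes back while the sealed environment is running and is refused afterwards, which is the property the domain manager relies on when it seals its bulk key.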
Establishing Initial Trust
A sealed secret can only be unsealed and accessed by the same domain manager environment. If a secret known only to a user was sealed to an environment that the user chose to trust, then if this secret can be re-displayed the user knows the same trusted environment is currently running. A similar method uses a secret shared with a remote agent, allowing the remote agent to know that the same trusted environment is currently running. But that leaves the question of how the user or remote agent determines that the environment should be trusted before a shared secret exists. To put the question more succinctly: how do we determine initial trust?
LT supports an optional, verifiable reporting mechanism, called attestation. Attestation permits either the user or, optionally, a remote agent to measure the currently running environment using measurement and reporting mechanisms supported by the TPM. Based upon these reported measurements, the user or remote agent may use this information to decide whether to trust the current platform environment.
For a remote agent, the attestation process involves standard cryptographic methods. A remote agent generates a random value (called a nonce or challenge) and sends it to the system to be tested. At that system, the TPM creates a record containing the nonce and the current PCR values (which represent the currently running domain manager environment). The TPM signs this record with its private key, and the signed record is returned to the remote agent along with the TPM's public key and credentials. The remote agent examines the credentials to determine that this public key does, in fact, represent a real TPM, then uses the public key to verify the signature on the record, and then extracts the data from the record. The extracted data may now be checked against various lists to determine if this is an environment acceptable to the remote agent.
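The challenge/response exchange above, modelled end to end as an added example (not Intel or TCG code). The function names `tpm_keygen`, `tpm_quote` and `verify_quote` are my own; the TPM's signing key is a freshly generated textbook RSA key (hash signed directly, no padding, a simplification for the demo), the "credential" check is reduced to an allow-list of TPM public keys the remote agent already trusts, and PCR values are passed as 20-byte digests.

```python
import hashlib
import secrets

def _is_probable_prime(n, rounds=32):
    """Miller-Rabin primality test; adequate for a demo key."""
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _gen_prime(bits):
    while True:
        p = secrets.randbits(bits) | (1 << (bits - 1)) | 1   # odd, full bit length
        if (p - 1) % 65537 and _is_probable_prime(p):       # keep e coprime to p-1
            return p

def tpm_keygen(bits=512):
    """Stand-in for the TPM's attestation key pair: returns ((n, e), (n, d))."""
    p, q = _gen_prime(bits // 2), _gen_prime(bits // 2)
    return (p * q, 65537), (p * q, pow(65537, -1, (p - 1) * (q - 1)))

def tpm_quote(priv, pcrs, nonce):
    """TPM side: record = nonce || PCR values, signed with the attestation key."""
    n, d = priv
    record = nonce + b"".join(pcrs)
    return record, pow(int.from_bytes(hashlib.sha256(record).digest(), "big"), d, n)

def verify_quote(pub, trusted_pubs, record, sig, nonce, accepted_pcrs):
    """Remote agent side: credential, signature, freshness, then the allow-list."""
    if pub not in trusted_pubs:
        return "untrusted TPM key"
    n, e = pub
    if pow(sig, e, n) != int.from_bytes(hashlib.sha256(record).digest(), "big"):
        return "bad signature"
    if record[:len(nonce)] != nonce:
        return "stale or replayed quote"
    return "accepted" if record[len(nonce):] in accepted_pcrs else "unknown environment"
```

A run is `pub, priv = tpm_keygen()`, then the agent picks `nonce = secrets.token_bytes(20)`, the platform answers with `tpm_quote(priv, [pcr17], nonce)`, and the agent calls `verify_quote(pub, {pub}, record, sig, nonce, {known_good_pcr17})`. Reusing an old record against a fresh nonce fails the freshness check even though its signature is valid, which is why the nonce is generated by the remote agent and not by the platform.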
Attesting the environment of a local machine to a human user is more challenging, given that most humans cannot perform cryptographic calculations in their heads. There are at least three methods a user may choose from to identify the local machine environment and make a trust decision:
1. Assuming that a system is in its original state (as delivered from an OEM that a user trusts), the user may simply choose to trust this initial configuration. The user would be advised to create a secret (e.g. a favorite phrase or quote) to be sealed to this environment. As long as this secret can be displayed to the user on subsequent boots, the user has confidence that the same environment is running.
2. A portable token capable of cryptographic operations may be used to act as a "remote-agent-like" proxy for the user. This token can be loaded with measurements of valid environment configurations at the local retailer. Such a portable token can then be connected to the PC and perform attestation of the user's system in a manner identical to that described for remote agents. The portable token could then report pass/fail.
3. The user may request that a remote agent perform attestation of the system. However, this leaves the problem of how the remote agent safely reports this information back to the user, given that the user cannot (yet) trust the software environment on the system. There are at least two methods of achieving this:
o If the user has a portable token, the remote agent's results can be communicated using cryptographically secured protocols to the portable token, which displays the result for the user.
o The remote agent provides the results "out-of-band", perhaps using an automated phone menu or mail.
CONCLUSION
LaGrande Technology (LT) is a highly versatile set of hardware enhancements that will come to Intel processors, chipsets and platforms over the next 2 to 3 years. LT creates a hardware foundation, on the client PC platform, that can help protect the confidentiality and integrity of data stored or created from software-based attacks. It does this by enabling an environment where applications can run within their own space, protected from all other software on the system. In turn, this can help to protect vital data and processes from being compromised by malicious software running on the platform. LT is expected to be available in Desktop & Mobile platforms for the Business segment in approximately the next two to three years.